b'         U.S. Department of Energy\n         Office of Inspector General\n         Office of Audits & Inspections\n\n\n\n\nSpecial Report\n\nReview of the Compromise of\nSecurity Test Materials at the Y-12\nNational Security Complex\n\n\n\n\nDOE/IG-0875                       October 2012\n\x0c                                 Department of Energy\n                                    Washington, DC 20585\n\n                                       October 26, 2012\n\nMEMORANDUM FOR THE UNDER SECRETARY OF ENERGY\n\n\nFROM:                    Gregory H. Friedman\n                         Inspector General\n\nSUBJECT:                 INFORMATION: Special Report on "Review of the Compromise of\n                         Security Test Materials at the Y-12 National Security Complex"\n\nBACKGROUND\n\nFollowing the July 28, 2012, security breach at the Y-12 National Security Complex (Y-12), the\nDepartment of Energy\'s Office of Health, Safety and Security (HSS) was tasked with conducting\na comprehensive inspection of the site\'s security organization. The inspection, initiated on\nAugust 27, 2012, included both practical exercises and tests designed to evaluate the knowledge,\nskills and abilities of the site\'s Protective Force.\n\nAt approximately 11:00 pm on the night of August 29, 2012, while conducting performance\ntesting, an HSS inspector discovered a copy of what he identified to be a security knowledge test\nin the patrol vehicle of a WSI-Oak Ridge (WSI-OR) Protective Force official who was escorting\nhim. The test was one that had been scheduled to be administered to a sample of the Protective\nForce officers on the following day. The inspector immediately raised concerns regarding what\nappeared to be a compromise of the upcoming test. Eventually, testing activities were suspended\nto permit HSS officials to rewrite the test to ensure that the integrity of the inspection was\nmaintained.\n\nAs noted in our prior Special Report on Inquiry into the Security Breach at the National Nuclear\nSecurity Administration\'s Y-12 National Security Complex (DOE/IG-0868, August 2012), the\nJuly 28 security breach reflected multiple system failures. As such, in our continued monitoring\nof the situation, the Office of Inspector General initiated a special review into alleged\ncompromise of the HSS inspection.\n\nCONCLUSIONS AND OBSERVATIONS\n\nOur inquiry confirmed that the security knowledge test, including answers to the test questions,\nhad been compromised and that it had been distributed in advance of the test to numerous WSI-\nOR Captains, Lieutenants, and Security Police Officers (SPO), the very people whose knowledge\nwas to have been evaluated as part of this process. Our conclusion was based on interviews with\nFederal and contractor officials who were involved with or had knowledge of the test distribution\nand on a review of supporting information pertinent to the actions taken by those individuals;\nboth before and following the discovery of the compromised test in the patrol vehicle. WSI-OR\npersonnel testified uniformly that there was no intent to cheat on the HSS inspection. While we\nhad no direct evidence to the contrary, we found the credibility of this testimony to be\n\x0cquestionable, especially in light of a number of actions that we identified related to the\ntransmission, review and distribution of the test that, at best, demonstrated a lack of due care and\nnegligence. The failure to properly safeguard the test prior to its administration, especially given\nthe intense focus on Y-12 and the security concerns at the site, was, in our opinion, inexplicable\nand inexcusable. Specifically:\n\n      \xe2\x80\xa2   Despite the fact that the document was labeled as a test and was initially distributed via\n          encrypted email to individuals appointed as "Trusted Agents," WSI-OR officials treated\n          the document as if it were a training aid, mentioned its receipt at daily Protective Force\n          supervisor meetings, and widely distributed it to a variety of officers. Of equal concern, a\n          senior B&W Technical Services Y-12, LLC (B&W)1 official, who also serves at another\n          high-security Department site, indicated that he had taken similar actions to coordinate\n          inspection-related materials with Protective Force management prior to administration\n          while serving at the other site.\n\n      \xe2\x80\xa2   While one would expect that in normal situations testing materials would be withheld\n          from the entity being tested, we learned that such was not the case in the Y-12 situation.\n          The Federal security official at Y-12 who was provided the test for review and comment\n          told us that it was not his role to provide input on the test. HSS officials explained that\n          Federal security officials at sites often lack detailed knowledge regarding security and\n          Protective Force operations that is needed in the execution of contractor knowledge tests.\n          Further, as a consequence, a senior security representative of the contractor was placed in\n          a position of reviewing and providing comments on a knowledge test designed to\n          evaluate its own performance. These HSS officials also noted that because of the "eyes\n          on, hands off" approach to contactor governance at high security sites, it was necessary to\n          distribute performance testing materials to security contractors for review prior to\n          administration of the test.\n\nWhile we do not believe that they excuse actions taken in this case, we observed several\nopportunities to improve the integrity and transparency of the knowledge testing process.\nAlthough the Federal official who initially distributed the test took action to protect its contents\nby encrypting the email used to transmit it and sending it only to "Trusted Agents," the email did\nnot contain specific instructions for protecting the test against compromise. The transmitting\nemail only asked for comments on the applicability of the security questions to the Y-12\nenvironment. The lack of detailed instructions is particularly relevant in that the Department\nOrder regarding the designation of "Trusted Agents" does not specifically mention that the\npractice is also applicable to security knowledge tests. The Order instead indicates that it may be\nused in performance testing exercises, such as force-on-force and similar exercises. A contractor\nofficial cited the lack of a direct reference to test questions in the Order as one factor that\ncontributed to their handling of the test and its ultimate compromise.\n\n\n\n\n1\n    B&W is the prime contractor responsible for operating the Y-12 facility.\n                                                 2\n\x0c                                        Test Distribution\n\nBased on our interviews and testing, we determined that HSS sent the test to B&W and the\nNNSA Production Office (NPO) with a request that it be reviewed for accuracy. We noted that\nthe email message from HSS stated that one of the two attached documents was "the proposed\nknowledge test." B&W then forwarded the email to a WSI-OR manager, an individual that had\nnot been designated as a Trusted Agent, requesting comment. The manager forwarded the email\nto two other Protective Force officers, neither of whom had been designated as Trusted Agents.\nOne of the officers provided the requested comments and returned the attachments to the\nmanager who returned them to B&W. While the manager told us that this was the last he saw of\nthe test until the night it was discovered in the patrol vehicle, the distribution by contractor\nmanagement officials set the stage for the eventual compromise of the test.\n\nBy the next day, the test material appears to have lost its identity and wide spread distribution\nbegan. After commenting on the test, the officer that provided comments actually discussed the\nreceipt of what he categorized as revised "job knowledge questions" during the Protective\nForce\'s Plan of the Day meeting. He followed up the discussion by emailing the questions to the\nProtective Force Shift Captains for use as a job knowledge aid in preparing their SPOs for the\nHSS inspection. At least two of the Captains forwarded the test to their subordinate officers, and\none forwarded it to two additional Lieutenants. One of those Lieutenants in turn made copies for\ndistribution to the SPOs and further forwarded the test to his subordinates. One of those\nindividuals then passed the email attachments to the official in whose patrol vehicle the test was\nultimately found.\n\n                                     Guidance and Direction\n\nThe Department Order on Protective Force was unclear as to the requirements for the use of\nTrusted Agents. In particular, Department Order 473.3, Protection Program Operations, Annex\n2, Performance Testing, stated that Trusted Agents may be designated in preparing for and\nconducting performance tests of the Protective Force. According to the Order, performance tests\ninclude: Limited Scope Performance Tests; Force on Force exercises; Command Post exercises;\nCommand Field exercises; and, Joint Testing exercises. The Order does not specifically require\nthat Trusted Agents be designated in any of these circumstances, and notably does not make\nmention of job knowledge testing.\n\nWhile HSS officials told us that the use of Trusted Agents applied to both performance and job\nknowledge testing, the responsible B&W official told us he thought that Trusted Agents were\nonly for use in relation to performance testing \xe2\x80\x93 not for general job knowledge tests. That same\nofficial also indicated that in a similar position at another Department site, he had treated job\nknowledge questions in the same manner as he had in the recent Y-12 event. An HSS official\ntold us that HSS did not have a procedure specific to the designation of Trusted Agents for job\nknowledge testing.\n\nNone of the emails to which the HSS test was attached provided specific direction to the\nrecipient regarding the responsibility to limit distribution of the documents. Although the test\nwas clearly marked as a test (see Figure 1), the Protective Force supervisors we spoke with stated\nthat they had not noticed the specific header of the document. We found this purported lack of\nattention not to be credible. Rather, the Protective Force supervisors told us they just looked\n\n                                                3\n\x0cover the questions that were contained therein, determined that they looked similar to those that\nwere already being used to prepare the SPOs for the upcoming inspection, and decided to further\ndistribute them as a training aid.\n\n\n\n\n                          Figure 1 \xe2\x80\x93 HSS Job Knowledge Test Header\n                                       Contractor Governance\n\nAs with the recent intrusion at the Highly Enriched Uranium Materials Facility described in our\nSpecial Report on Inquiry into the Security Breach at the National Nuclear Security\nAdministration\'s Y-12 National Security Complex (DOE/IG-0868, August 2012), problems with\nthe administration of the National Nuclear Security Administration\'s contractor governance\nsystem appeared to have had a role in the compromise of the test materials at Y-12, certainly, the\nassurance system did not prevent the compromise. As previously noted, the cognizant Federal\nsecurity official at Y-12 told us he did not believe that it was his role to provide input on the test.\nAlthough not explicitly stated, this position was consistent with the failure to take an active role\nin contractor governance that we observed during our review of the recent intrusion.\n\nAs noted by HSS officials, the issue at Y-12 does not appear to be unique to that site. A senior\nHSS official told us that Federal officials at many other sites lacked the knowledge necessary to\nprovide informed feedback on knowledge testing materials and as such, the materials were\nprovided directly to contractors. In our view, Federal officials should have an active role in\nreviewing, commenting and controlling testing material. The use of contractors is not an optimal\nsituation and, if necessary because of gaps in coverage by Federal officials, should be minimized\nand tightly controlled.\n\nPositive Actions\n\nAs a result of the situation at Y-12, and during our inquiry, we were told that HSS initiated\naction to update its internal procedures to ensure that documents are clearly marked and that the\nrole of Trusted Agents is better defined and communicated. We noted, however, that the new,\nupdated version of the Trusted Agent agreement provided to us still did not specifically address\nthe applicability to job knowledge testing. In addition, HSS stated that it began using email\nencryption features that required receipt acknowledgement and prevented emails from being\nforwarded. Further, in at least one case, test materials were validated in person rather than via\nemail. In comments to our draft report, HSS indicated that these practices would be\ninstitutionalized in a pending revision to its internal guidance.\n\n\n\n                                                   4\n\x0cImpact and Path Forward\n\nWhile the actions taken to date are positive, additional effort is necessary to ensure that the\nunderlying problems with Departmental criteria and National Nuclear Security Administration\'s\ngovernance system are addressed. In this case, harm was averted by mere happenstance when\nthe compromised testing material was discovered prior to the time the test was actually\nadministered. Based on disclosures by contractor officials, there is also a possibility that\ncompromises of test materials may have occurred at other sites without discovery. Security of\nthe Nation\'s most sensitive nuclear material storage and processing facilities must not be left to\nchance.\n\nRECOMMENDATIONS\n\nTo help restore confidence in the integrity of the Department\'s protective forces, in addition to\nthe actions recently initiated, we recommend that the Under Secretary for Nuclear\nSecurity/Administrator, National Nuclear Security Administration in conjunction with the Chief,\nHealth, Safety and Security:\n\n   1. Update Department directives, as necessary, to clearly define when Trusted Agents are to\n      be used;\n\n   2. Revise internal procedures and practices to ensure that all communications related to HSS\n      testing are marked and protected in a manner to avoid any ambiguity as to whether they\n      are to be shared; and,\n\n   3. Clarify the contractor assurance process to address concerns with the range of authorities\n      granted to and responsibilities of Federal oversight officials.\n\nOTHER MATTER\n\nDuring the course of our inquiry, B&W officials brought a matter to our attention related to\ninconsistencies in materials provided by a WSI-OR Officer during its investigation of the test\ncompromise. The results of our review of that matter are discussed in Attachment 1.\n\nMANAGEMENT REACTION AND OFFICE OF INSPECTOR GENERAL RESPONSE\n\nNNSA did not agree that its implementation of the governance process was a contributory cause\nof the knowledge test compromise. Rather, management concluded that the compromise was\ncaused by abuse of the Trusted Agent concept by a contractor official. Accordingly,\nmanagement suggested that we revise our recommendation related to the contractor assurance\nsystem to reflect that view. Management agreed to work with HSS to implement our\nrecommendations regarding the integrity of security testing at all sites.\n\nWe recognize that there was a breakdown of controls at the contractor level regarding the\nTrusted Agent concept. However, our analysis also led us to conclude that there was a more\nfundamental issue involving the lack of in-depth security knowledge and involvement of Federal\noversight officials. This issue directly contributed, in our opinion, to the environment that\nnecessitated placing the testing materials in the hands of the contractor in the first place. We\n\n                                                 5\n\x0crecognize that, in some cases, the contractor has to be involved as a Trusted Agent to ensure the\nsafety and efficacy of the performance tests; however, the use of contractors as Trusted Agents in\nknowledge tests of their own operations should be minimized to the extent practical by reliance\non Federal officials who are knowledgeable of contractor operations. Accordingly, we did not\nmodify our recommendation regarding the clarification of the governance process.\n\nHSS management concurred with the Recommendations 1 and 2 and stated that it had initiated\naction to address the issues identified during our review. In particular, HSS stated that it would\nupdate both its trusted agent form and appraisal process guide to clarify the expectations for use\nof trusted agents as they apply to knowledge testing. With regard to Recommendation 3, HSS\nmanagement deferred to NNSA for action. Finally, HSS noted its disagreement with the benefit\nto be gained from the implementation of one of the recommendations in our draft report. We\nagreed with management\'s assessment and removed that recommendation from the final report.\n\nManagement\'s comments and planned corrective actions were responsive to our\nrecommendations. Management\'s comments are included in their entirety in Attachment 3.\n\nAttachments\n\ncc:   Deputy Secretary\n      Associate Deputy Secretary\n      Administrator, National Nuclear Security Administration\n      General Counsel\n      Chief of Staff\n\n\n\n\n                                                 6\n\x0c                                                                                       Attachment 1\n\n\n                          ALLEGED DOCUMENT SUBSTITUTION\n\nOn August 31, 2012, B&W Technical Services Y-12, LLC (B&W), the management and\noperating contractor at Y-12, issued a Cure Notice to WSI-OR, its Protective Force\nsubcontractor. The notice required WSI-OR to correct the issues that led to the compromise of\nthe test material. On September 19, 2012, the Office of Inspector General (OIG) was contacted\nby B&W officials concerning the response to the Cure Notice that B&W had received from\nWSI-OR. B&W was concerned about two documents contained within the response.\nSpecifically, copies of email messages found behind separate binder tabs appeared to contain an\nidentical email message (dated August 23) that stated:\n\n   "\xe2\x80\xa6Attached are the revised set of Job Knowledge questions that I spoke of this morning\n   in POD [Plan of the Day]. Please remember the sensitivity issue with these questions. It\n   would not be a good idea for these to be left lying around or for a SPO [Security Police\n   Officer] to have these in hand during an audit. It is a useful tool to see where your\n   personnel stand. Most of the information has been reviewed in the classes at CTF\n   [Central Training Facility] over the past couple of weeks."\n\nHowever, one version had the phrase "\xe2\x80\xa6or for a SPO to have these in hand during an audit"\nremoved. B&W was concerned that WSI-OR was attempting to cover-up actions by its\npersonnel to cheat on the HSS inspection.\n\nBased on work conducted during our review, we were unable to conclusively discern whether the\nexistence of the two emails was the result of an administrative error or an actual attempt to\ncover-up information that the sender felt could indicate an attempt to cheat. We were told,\nhowever, that the modified email was inadvertently included in the WSI-OR response to B&W\'s\ncure notice. Specifically, following the discovery of test materials in a Sergeant\'s patrol vehicle,\nWSI-OR launched an internal investigation into the matter. As part of the investigation, the\nOfficer that initially distributed the document was asked to provide all inspection-related\nmaterials he had in his possession. The Officer told us that while the message in his original\nemail referred to a "sensitivity issue" with the documents and stated that "\xe2\x80\xa6it would not be a\ngood idea for these to be left lying around or for a SPO to have these in hand during an audit\xe2\x80\xa6,"\nhe was attempting to convey that the attachments were need to know information specific to the\nProtective Force; not that they included a test that would be administered by HSS.\n\nThe Officer explained to us that he became concerned that the email\'s message would be\nmisconstrued after WSI-OR officials did not understand his meaning when he attempted to\nexplain it. As such, he told us that he considered altering the email \xe2\x80\x93 going so far as to delete the\nphrase regarding the SPOs \xe2\x80\x93 before he determined that this course of action may cause trouble as\nthe original email had been sent to several individuals. He ultimately determined that the best\ncourse of action would be to provide a written explanation of what he meant by the sensitivity\nissue along with the original email. He told us that unfortunately, in his haste to provide his\ndocuments to WSI-OR, he must have inadvertently printed out the modified email message\nrather than the original.\n\n\n\n\n                                                  7\n\x0c                                                                        Attachment 1 (continued)\n\n\nWithin hours of realizing how the modified document came to be in the possession of WSI-OR,\nthe Officer approached WSI-OR General Counsel to provide his explanation. The Officer also\nreported this information to the OIG as part of our ongoing review. Ultimately, WSI-OR\nterminated the Officer because it believed that the Officer had been less than truthful regarding\nstatements made about the email discrepancy.\n\n\n\n\n                                                8\n\x0c                                                                                  Attachment 2\n\n\n                                 RELATED REPORTS\n\n\xe2\x80\xa2   Special Report on Inquiry into the Security Breach at the National Nuclear Security\n    Administration\'s Y-12 National Security Complex (DOE/IG-0868, August 2012). This\n    review was initiated to examine the circumstances surrounding the July 28, 2012, security\n    breach at Y-12 National Security Complex (Y-12). We found that the Y-12 security\n    incident represented multiple systems failures on several levels. For example, we\n    identified troubling displays of ineptitude in responding to alarms, failures to maintain\n    critical security equipment, over reliance on compensatory measures, misunderstanding\n    of security protocols, poor communications, and weaknesses in contract and resource\n    management. In addition, we determined that contractor governance and Federal\n    oversight failed to identify and correct early indicators of these multiple system\n    breakdowns. We made several recommendations to further enhance security at Y-12 and\n    across the complex. In response, management identified corrective actions it had\n    initiated or completed.\n\n\xe2\x80\xa2   Special Report on Management Challenges at the Department of Energy \xe2\x80\x93 Fiscal Year\n    2012 (DOE/IG-0858, November 2011). As part of our annual report to identify the most\n    significant challenges facing the Department of Energy (Department), we identified eight\n    challenges and three areas for the "watch list" for Fiscal Year 2012. Specifically, the\n    report identified contract and financial assistance award management as a management\n    challenge and safeguards and security as an area that warrants special attention from\n    Department officials. We also noted in our report that there may be significant economy\n    of scale cost benefits associated with protective force contract consolidation that could\n    encourage a more uniform and consistent approach to protective force organization,\n    management, training, and equipment purchases.\n\n\xe2\x80\xa2   Inspection Report on Incident of Security Concern at the Y-12 National Security Complex\n    (DOE/IG-0785, January 2008). This review was initiated because we received an\n    allegation that unauthorized portable electronic devices (including laptop computers)\n    were introduced into a Limited Area which employs physical controls to prevent\n    unauthorized access to classified matter or special nuclear material at Y-12 and that this\n    breach in security was not properly reported. Our inspection substantiated the allegation\n    and identified additional concerns related to the incident. Specifically, we found that Y-\n    12 personnel discovered that an Oak Ridge National Laboratory employee had brought an\n    unclassified laptop computer into the Limited Area without following proper protocols,\n    the cyber security staff had not properly secured the laptop, the incident was not reported\n    until 6 days after it was discovered, and as many as 37 additional laptop computers may\n    been improperly introduced into the Limited Area. We made several recommendations\n    to further enhance the security of information systems and responses to incidents of\n    security concern. In response, management identified corrective actions taken, initiated,\n    or planned.\n\n\xe2\x80\xa2   Inspection Report on Protective Force Training at the Department of Energy\'s Oak Ridge\n    Reservation (DOE/IG-0694, June 2005). This inspection was initiated because we\n    received an allegation that a security police officer was given credit for training that was\n    not received at the Oak Ridge Reservation. The inspection concluded that there were\n                                             9\n\x0c                                                                     Attachment 2 (continued)\n\n\n    material shortcomings in the implementation of the protective force training program.\n    Specifically, we found that personnel spent about 40 percent less time on combat\n    readiness refresher training than that specified in the training plan, planned training time\n    was formally reported as actual training time, personnel routinely worked in excess of the\n    maximum threshold for safe operations of 60 hours per week, and personnel signed\n    attendance rosters for training not received. Because of the importance to the Nation\'s\n    security, several recommendations were made to ensure the protective force is properly\n    trained.\n\n\xe2\x80\xa2   Inspection Report on Protective Force Performance Test Improprieties (DOE/IG-0636,\n    January 2004). The inspection was initiated at the Y-12 Site Manager\'s request to\n    examine whether there had been a pattern over time of site security personnel\n    compromising protective force performance tests. Our inspection confirmed that the\n    results on a performance test may have been compromised as two protective force\n    personnel were inappropriately permitted to view the computer simulations of four\n    scenarios on the test. In addition, we were provided information that inappropriate\n    actions had occurred going back to the mid-1980s in connection with performance tests at\n    the Department\'s Oak Ridge complex. The National Nuclear Security Administration\n    concurred with our findings and recommendations made in our report and provided a\n    series of corrective actions that had been initiated or planned.\n\n\n\n\n                                             10\n\x0c                      Attachment 3\n\n\nMANAGEMENT COMMENTS\n\n\n\n\n        11\n\x0c     Attachment 3 (continued)\n\n\n\n\n12\n\x0c     Attachment 3 (continued)\n\n\n\n\n13\n\x0c     Attachment 3 (continued)\n\n\n\n\n14\n\x0c                                                                   IG Report No. DOE/IG-0875\n\n                           CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its\nproducts. We wish to make our reports as responsive as possible to our customers\' requirements,\nand, therefore, ask that you consider sharing your thoughts with us. On the back of this form,\nyou may suggest improvements to enhance the effectiveness of future reports. Please include\nanswers to the following questions if applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding this\n   report?\n\n2. What additional information related to findings and recommendations could have been\n   included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\'s overall\n   message more clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the issues\n   discussed in this report that would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should we have\n   any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at\n(202) 586-0948, or you may mail it to:\n                             Office of Inspector General (IG-1)\n                                     Department of Energy\n                                    Washington, DC 20585\n\n                                  ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact our office at (202) 253-2162.\n\x0cThis page intentionally left blank.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly\nand cost effective as possible. Therefore, this report will be available electronically through the\n                                Internet at the following address:\n\n              U.S. Department of Energy Office of Inspector General Home Page\n                                    http://energy.gov/ig\n\n  Your comments would be appreciated and can be provided on the Customer Response Form.\n\x0c'